[RAC][Meta] Consolidate the two indexing implementations in rule_registry plugin

[banderror]

Summary

Consolidate #98353 and #98935 into a single implementation.

We ended up having 4 implementations of index management/writing/reading related/similar to the problem we're trying to solve in RAC: two in rule_registry (RuleDataService and EventLogService), one in security_solution (for .siem-signals index), one in event_log plugin. We should compare them, mind their strong and weak parts and build a consolidated implementation in rule_registry.

High-level plan:

• Build the consolidated implementation based on RuleDataService and RuleDataClient. Enhance it, improve its API for better and safer DX, improve its implementation, especially the part responsible for index bootstrapping.
• Remove the 2nd implementation (EventLogService) from rule_registry.
• We will naturally get rid of the old .siem-signals implementation in Security once we migrate the Detection Engine to rule_registry.
• Alerting framework will continue to use the event_log plugin for their monitoring needs. Also, we're planning to implement Rule Execution Log in Security based on event_log ([Security Solution] Extend event_log plugin with functionality required for Rule Execution Log #106347, [RAC][Security Solution][Detections] Rule Execution Log - technical implementation #101013).

Regarding robust index bootstrapping, consider this:

• Race conditions during index bootstrapping should be handled one way or another. Possible options: a) robust idempotent logic with error handling; b) leveraging task_manager to make sure bootstrapping procedure runs only once at a time; c) using some sort of distributed lock, and d) maybe something else I'm missing. Maybe we could check how Saved Objects service bootstraps .kibana index.
• Errors should be handled correctly. Pay special attention to errors from Elasticsearch APIs.

When the consolidated implementation is ready, make sure to update all references to it from plugins which already use it: security_solution, observability, apm, uptime, etc.

Tasks for 7.15

• [RAC][Rule Registry] Improve the API of RuleDataService and RuleDataClient #106421
• [RAC] Add mapping update logic to RuleDataClient #102586
• [RAC] Enhance index bootstrapping logic with support for additional aliases and proper ILM rollover per namespace #106428
• [RAC] Index naming: change the way index prefix works #106432
• [RAC] Turn off RAC features for those using multi tenancy #108393
  • [RAC] Disable RAC multi-tenancy #108506
• [RAC] Remove EventLogService implementation from rule_registry #106433
• [RAC][Rule Registry] Namespaces that are prefixes of other namespaces can cause unexpected behaviors #107704
• [RAC] Make sure index names comply with design architecture #102089
• [RAC] Rule registry index bootstrapping: implement suggestions for backwards compatibility #109293
• [RAC][Rule Registry] Put index upgrade logic under a feature flag #110594
• [RAC] [Observability] Alert documents are not updated as expected when the write index changes #110519
  • Check if anyone else uses ruleDataClient.bulk() - ✔️ @banderror
• [RAC] Alert ILM policy shouldn't delete old indices after rollover #111029

Tasks for 7.16

• [RAC][Rule Registry] Write an RFC for index bootstrapping and backwards compatibility #110800
• [RAC][Rule Registry] BUG: Duplicated documents written after index bootstrapping #110499
• [RAC][Rule Registry] BUG: Component template bootstrapping fails on conflicting fields #109816
• [Security Solution][Alerts] Add tests for changes in the schema #110798
• [RAC][Rule Registry] Index bootstrapping: make index upgrade logic compatible with adding field aliases and runtime fields to old indices for backwards compatibility #110795 - address before the next release that makes any mapping changes
• [RAC] [Rule Registry] Update old index mappings and index templates on change #108941
• [RAC][Rule Registry] Add tests for RuleDataService and RuleDataClient #110804
• [RAC][Rule Registry] Update README #110807
• [Rule Registry] Default index settings and ILM policy for all indices #111152
• Custom index settings and ILM policy for security alerts. Do we need it?
• [RAC][Rule Registry] Updating old alerts by "reindexing" them into the current write index #111165
• [RAC][Rule Registry] Investigate why getAuthorizedAlertsIndices includes Kibana space id into the index name #111154
• [RAC][Rule Registry] Make endpoints for updating alerts consistent #111162

Backlog

Indexing and index bootstrapping logic:

• [RAC][Rule Registry] Index bootstrapping: make it more robust #106425
• [RAC] RAC framework calls to ES should wrap their own errors #106315
• [RAC][Rule Registry] Cache rule data writers and index bootstrapping #110945
• [RAC][Rule Registry] Applying aliases/runtime fields to old indices for backwards compatibility #110808
• [RAC][Rule Registry] UI/UX around timeouts and errors during index bootstrapping #111170

API enhancements for RuleDataService and RuleDataClient:

• [RAC][Rule Registry] Implement RuleDataService.getReader() that skips index bootstrapping #111173
• [RAC][Rule Registry] Implement separate methods for writing new alerts and updating existing ones #111175
• Static TypeScript typing for documents written via RuleDataClient
  • part of [RAC][Rule Registry] Improve the API of RuleDataService and RuleDataClient #106421
• [RAC] RuleDataClient writer should handle inserting required fields into new alert documents #107980

User-defined resources::

• [RAC][Discuss] Support for user-defined field mappings in .alerts indices #103777
• User-defined index settings?
• User-defined ILM policy per index (registration context + dataset)
• User-defined ILM policy per namespace

Misc:

• [RAC][Rule Registry] Small clean-ups #111470
• [RAC][Rule Registry] Rename "rule registry" to "alerts as data" #111500

Consider these as well:

• [RAC] Existence of index template should be verified before index is created #100452
• [Security Solution][Alerts] Use dynamic mappings to create smaller templates & mappings #100884

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[banderror]

We had a chat with @marshallmain last week and here's a summary of what we discussed and how decided to proceed with the consolidated implementation:

• We'd like the consolidated implementation to have an API mostly compatible with EventLogService ([RAC] Rule monitoring: Event Log for Rule Registry #98353), but many implementation details (especially around index bootstrapping) taken from RuleDataService/RuleDataClient ([RAC] Decouple registry from alerts-as-data client #98935).
• We'd like it to provide a schema for documents (alerts, events) so that we could have static compiler checks in the code.
• We'd like to decouple the implementation from FieldMap. We'd leave FieldMap in the code, but remove it from generic parameters of classes and functions, making it a helper utility, rather than a hard dependency of the consolidated implementation.
• We'd like the implementation to be based on component templates and the new idex template API.
  • Leveraging component templates would allow us to address one specific problem we have in Security Solution with users who need to be able to extend or override detection alert mappings.
• We'd like to have index bootstrapping logic similar to what we already have in Security Solution.
• We'd like component/index templates to be versioned, so that when we change the schema in the code, we could update templates and rollover indices - all that based on the versioning.

[banderror]

I opened a draft PR (#101453) for the consolidated implementation. Here's a comparison of the 3 implementations in rule_registry:

Feature	RuleDataService	EventLogService	Consolidated implementation
Schema	Implicit, schema-less (indexing function accepts documents as any)	Explicit schema for documents	Explicit schema for documents
Dependency on FieldMap	No hard dependency	Hard dependency	No hard dependency
Component templates	Yes	No	Yes
Versioning of schema, mappings, settings	No	No	Yes
Soft document migrations (index rollover)	No	No	Yes
Index management API	Imperative	Declarative	Declarative
Index management encapsulation	Low-level methods are exposed to clients, clients are responsible for correct implementation of index management	Low-level methods are encapsulated, machanism is responsible for index management	Low-level methods are encapsulated, machanism is responsible for index management

[banderror]

cc @tsg @spong @xcrzx @marshallmain @jasonrhodes @dgieselaar @smith @gmmorris

[banderror]

One more thing I forgot to mention is about component templates. In the consolidated implementation, I'm proposing the following "architecture" for templates (as you can see here and here in the code):

During index bootstrapping a number of templates will be created by the Event Log mechanism. They will have a certain order of precedence and the "next" template will override properties from all the "previous" ones. Here's the list of templates from "start" (most generic, least precedence) to "finish" (most specific, most precedence):

1. Mechanism-level .alerts-mappings component template. Specified internally by the Event Log mechanism. Contains index mappings common to all logs (observability alerts, security execution events, etc).
2. Mechanism-level .alerts-settings component template. Specified internally by the Event Log mechanism. Contains index settings which make sense to all logs by default.
3. Log-level .alerts-{log.name}-app application-defined component template. Specified and versioned externally by the application (plugin) which defines the log. Contains index mappings and/or settings specific to this particular log. This is the place where you as application developer can override or extend the default framework mappings and settings.
4. Log-level .alerts-{log.name}-user user-defined component template. Specified internally by the Event Log mechanism, is empty, not versioned. By updating it, the user can override default mappings and settings.
5. Log-level .alerts-{log.name}-user-{spaceId} user-defined space-aware component template. Specified internally by the Event Log mechanism, is empty, not versioned. By updating it, the user can override default mappings and settings of the log in a certain Kibana space.
6. Log-level .alerts-{log.name}-{spaceId}-template index template. Its version and most of its options can be specified externally by the application (plugin) which defines the log. This is the place where you as application developer can override user settings. However, mind that the Event Log mechanism has the last word and injects some hard defaults into the final index template to make sure it works as it should.

Template #6 overrides #5, which overrides #4, which overrides #3, etc. More on composing multiple templates in the docs:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-put-template.html#multiple-component-templates

Mechanism-level .alerts-mappings and .alerts-settings component templates are managed purely by the mechanism, bootstrapped on rule_registry plugin start, common to all logs defined via the consolidated implementation, and it's not possible for a client (application/plugin) to change them. It's only 2 of them in the cluster.

All the other log-level templates (3 component templates and 1 index template) are created per each log defined via the consolidated implementation.

As a developer defining a log (and thus its mappings and settings), you are able to specify templates #3 (application-defined component template) and optionally #6 (index template).

[banderror]

@marshallmain @madirey @peluja1012 @xcrzx @ecezalp @spong here's my 2 cents on our consolidation efforts and #101453 vs #102586

This is all just my subjective opinion, my understanding might be incomplete, and I don't have any strong opinions on anything below.

#101453

Pros:

• Provides an explicit TypeScript schema for documents (alerts, events) based on io-ts. This gives us 2 things: 1) static compiler checks and 2) ability to implement validation-on-write and/or normalization-on-read, if we wish to add it. Not a critical thing, but very nice to have, and as we discussed (and as far as I understood), we will likely want to have this in the final implementation.
• Provides a declarative way of defining a log (its name, TypeScript schema, templates, ILM policy). Instead of imperatively calling a bunch of methods to bootstrap a log, a developer defines an object describing it, and then resolves this definition to get the actual log client.
• This design allows to encapsulate the mechanism of index bootstrapping, which is a good thing in my opinion. I'm not sure the implementation should give a lot of flexibility for solutions in terms of index bootstrapping, this might and likely will lead to inconsistencies in terms of naming of index and component templates, how many templates each solution uses, when it bootstraps them, in which order, etc. I just don't think this is a necessary flexibility. I feel like encapsulating low-level details is better than exposing them via methods and making a solution responsible for proper index bootstrapping.
• I tried to add this sort of flexibility by introducing a system of standardised component templates (see [RAC][Meta] Consolidate the two indexing implementations in rule_registry plugin #101016 (comment)). This is a draft and could be tweaked for our needs, e.g. we could remove space id from there and make all these parts shared between spaced, this is an implementation detail.

Cons:

• All the current clients already using RuleDataService would need to be updated and migrated to the implementation based on EventLogService. This should not be a huge deal, but considering the fact that we wanted to have a consolidated implementation by 7.14 FF, this is now a big risk.
• This migration would need to be reviewed and approved by Observability team => so it would take even more time and possible friction.

#102586

Pros:

• Fixes the most important part (index bootstrapping) in RuleDataService. Even without explicit schema and everything else, this should be enough to use this as a consolidated implementation. So we could move forward sooner.

Cons:

• Opposite to the draft based on EventLogService: no schema, no encapsulation (exposing low-level methods for index bootstrapping), imho too much flexibility and so on.

Random thoughts regarding a system of component templates and their versioning

I really liked the implementation in #102586 which puts a version in the _meta of each template => which gets propagated to the final index template => which gets propagated to the index:

_meta: {
  "versions": {
      ".alerts-security-solution-index-template": 1,
      ".alerts-security-solution-mappings": 1,
      ".alerts-ecs-mappings": 1,
      ".alerts-technical-mappings": 1
   }
}

I also like the idea of lazy index creation. FWIW, in #101453 index bootstrapping is also done lazily. The difference is in #102586 more parts are shared between spaces, and so 2/3 of the bootstrapping happens outside of RuleDataClient (client of a concrete log) and 1/3 inside (index rollover or creation). Whereas in #101453 most of the index bootstrapping is done by the client of a concrete log.

I'm wondering however what do you think about standardizing templates similar to how I did it in the draft (see #101016 (comment)).

Random thoughts regarding the new agreement on namespacing strategy

Let me copy-paste this to here

Rationale and proposed UI for the {namespace} portion
The {namespace} portion of the index naming strategy is meant to provide flexibility for our users to segment the Alerts data in different ways, similar to how the data stream naming strategy has a {namespace} that can be used for different use cases. For example, users might want different ILM policies for the alerts created by some rules compared to others.

We generally don’t want to make a direct connection between this concept of {namespace} and Kibana spaces. Users can choose to include the Kibana space id in the {namespace}, but they might also choose some other means to segment the data.

Therefore, we’d like the {namespace} to be configurable on a per-rule basis via a simple text input widget. The value of the {namespace} is saved in the Rule object. In addition, there will be a Kibana advanced setting per space that defines the default value of this input widget.

In other words, users that would like to separate alerts in different indices by using the space IDs can configure the value of the Kibana advance setting to be equal to the space ID. When creating a new rule in that space, the {namespace} option will be pre-filled with the space ID. They can still change it on every rule if they wish to.

Note about multi-space future: This should continue to work the same way even when multi-space rules become available. The namespace value will be stored on each rule, so it will continue to be tied to the space in which it was created. A user who shares that rule to a 2nd space, for example, would need to decide for themselves the best namespace value in that scenario. A warning could be shown at Rule sharing time indicating the index in which the alerts will be written and giving the user the opportunity to change it. Newly created rules would continue to read in the “default value” from the advanced settings in the current Kibana Space where the rule is being created from.

I think this agreement does not have a lot of effect on any of the two approaches. #101453 API does not force a developer to bind a log to a Kibana space. It provides a method for resolving a log which accepts a space id in its parameters:

export interface IEventLogResolver {
  resolve<TMap extends FieldMap>(
    definition: IEventLogDefinition<TMap>,
    spaceId: string
  ): Promise<IEventLog<Event<TMap>>>;
}

For its implementation, spaceId is just a string, and we could just rename it to namespace and pass this value from parameters of a rule instance.

Final thoughts

I easily could be just biased towards #101453, but I feel like it provides a better API in general (althought it can be not perfect, missing certain methods etc).

But given the time left before 7.14 FF and overall fatigue from working on alerts-as-data/event-log/RAC stuff, I think as of now we should proceed with #102586, because "progress, simple perfection".

We need to ship something and move forward, and with #102586 theres much more chances to finalize this implementation sooner.

[marshallmain]

Thanks for summarizing Georgii! I'm copy pasting the note I sent to Georgii on slack here to summarize my perspective, developed over the past 2 weeks.

At a very high level, there are 2 primary goals I have in mind for the eventual converged Alert Data client.

1. Ease of understanding for developers who may not have worked with it before. Since this client is shared across multiple teams and doesn't have clear ownership right now, it's even more critical IMO that it's simple for developers to understand how the client works.
2. Flexibility as the RAC initiative evolves. Since we're developing a client to be shared across teams, the client must be able to meet both teams requirements (and ideally future teams requirements as well) without requiring significant changes to accommodate them. To me, this implies that the client should act as a library of useful functions for the most part, allowing solutions to compose those functions as they see fit.

I spent 2 days or so comparing the RuleDataClient with the draft consolidated EventLogService to build a mental model of each implementation, assess the existing features, and start estimating the difficulty of adding on the additional required features to each implementation. After those 2 days, I felt very confident in my mental model of the RuleDataClient, but I was still struggling to remember how the abstraction layers fit together in the EventLogService. I could follow the call stack when looking at a specific piece, but the number of calls into various classes meant I would quickly forget the details of what each class did and stored. As for features, your comment does an excellent job summing up the all the key differences we were aware of at the time. When I started digging in to the implementations, I realized that additionally the namespacing strategy differed between them. The EventLogService creates templates and indices at the same time and creates a separate template for each space, whereas the RuleDataClient does not create concrete indices until documents are written and the template creation process is decoupled from the index creation. This positions the RuleDataClient well to support the arbitrary namespaces that users can define for their RAC alerts since a single set of templates already serves all namespaces for a particular solution's alert indices. Due to the requirement for arbitrary namespaces, it looked to me like the EventLogService would have to be updated to decouple the template creation from index creation - in the process breaking the existing template/index versioning and rollover logic in the EventLogService.

So overall, there appeared to be 2 paths forward:

• Continue building a consolidated implementation on the EventLogService
  • Decouple template creation and index creation to support arbitrary user defined namespaces (namespaces are defined per-rule)
  • Update versioning and index rollover logic to handle decoupled creation process
  • Need to get buy-in from Observability to replace their existing usage of RuleDataClient with EventLogService
• Build a consolidated implementation on the RuleDataClient
  • Add versioning and index rollover logic immediately - we can go without this initially, but when the time comes where we need to migrate it's easier if we have it built from the beginning
  • Add static typing for RuleDataClient writer as a follow up - lack of static typing is not a blocker for migrating rules to use the RuleDataClient

Since (1) there are no blockers preventing the RuleDataClient from being used as the basis for Security Solution rules in RAC - any enhancements are great but not required for shipping so we can more easily make enhancements in parallel with migrating rules, (2) the RuleDataClient is in use already by Observability, and (3) I was more confident in my understanding of the RuleDataClient implementation and thus felt that other devs new to the consolidated client would have an easier time working on it, I decided to try adding the versioning and rollover logic to the RuleDataClient.

[marshallmain]

Summarizing next steps after meeting with @banderror and @xcrzx:
Priorities:

• Simple, declarative way to create schemas for .alerts-* indices
• Solution plugins should not have to know about internal details of the rule registry
  • We shouldn't have to create a ready signal in solution plugins and pass it into the rule data client constructor
  • Devs should be clearly guided away from inefficient patterns even if they don't know the internal details of why it's inefficient. e.g. with the rollover check in getWriter, a single writer should be used for the duration of a rule executor. getWriter should not be called repeatedly. We should make this clear in documentation, and also rename getWriter to something that sounds more appropriate like initializeWriter - this has a better chance of letting devs know that initializeWriter is not something you want to call repeatedly.
• Rule registry should be able to enforce that templates created with the RuleDataPluginService have the required technical fields mapped correctly

Details:

• RuleDataPluginService should provide a function that takes a "log definition" in some form, creates the appropriate component and index templates, and returns a Promise<RuleDataClient> for that log. Rule executors can then await this promise to ensure that they don't write to the log until it is properly bootstrapped. This removes the need for solution plugins to define a "ready signal" to pass into the RuleDataClient that signals when the templates are created, instead the rule registry handles all the synchronization.
  • "log definition" implementation TBD - initially the log definition could be as simple as an array of component templates and an index template that would be passed to RuleDataPluginService.createOrUpdateComponentTemplate and RuleDataPluginService.createOrUpdateIndexTemplate. A schema for the log can be passed in as an optional parameter alongside the log definition to get static typing for the documents written by the RuleDataClient writer.
  • In the context of the current security solution RuleDataPluginService usage, we'd take the templates here and pass them in to a single function like RuleDataPluginService.bootstrapSolutionTemplates(templates): Promise<RuleDataClient> instead of imperatively creating the templates and later directly instantiating a RuleDataClient.
  • The RuleDataPluginService can automatically add the technicalComponentTemplate as the final component template in the index template, ensuring that the technical fields will be included and mapped correctly.
  • The log definition should be simple and flexible, allowing solutions to define arbitrary component templates
  • A more advanced log definition could be defined as a set of FieldMaps that the RuleDataPluginService would transform into the appropriate component and index templates. This would enable the RuleDataPluginService to build the TS types for the log automatically. However, this could also be done as an additional refactor after starting with a simpler implementation.
• The technical component template is the only required template for .alerts indices. The rule registry may provide other component templates that solutions can share for ease of use, e.g. the full ECS component template.

This approach should adopt the declarative style from the event_log. The main difference is it aims to be a lighter-weight implementation that encapsulates template bootstrapping details while providing some flexibility in log definitions. Rather than caching objects for repeated retrieval from the service, the RuleDataPluginService will simply create templates and return a Promise<RuleDataClient>. Solution plugins will be responsible for passing the RuleDataClient around to the appropriate places where it is needed.